tele9752wikiaorg-20200213-history
Xx05
Background: Know: Recognize: Prerequisites - UTP, hub Anticipates: VLANs xxQR Port Mirroring Port (or interface) mirroring is a method of monitoring network traffic. It duplicates each incoming packet on a selected interface of a switch. The original packet is sent to the destination interface that is mapped in the table, while at the same time a duplicate copy of the packet is sent to a pre-configured mirroring destination interface where the packet can be studied.1 Background Port mirroring also called Switch Port Analyzer (SPAN) allows sniffing traffic on a network. When using a switch in figure 1, one can see how a typical switch will read the forward/filter table and then send traffic out of the destination port only. Figure 1 Switch send frames out the destination port only 2 It works well but a problem arises when one needs to sniff traffic on the network. Figure 1 illustrates this issue and a solution to it. In this figure, one can see that the sniffer is not seeing data coming from host A to Host B. To solve this little problem, a hub can be placed temporarily between host A and host B, as demonstrated in Figure 2. Figure 2 Place a hub between two hosts to troubleshoot This method will allow seeing the frames being sent from host A to host B, but the bad news is that by doing this; you will bring down the network temporarily. The port mirroring option allows placement of a port in spanning mode, so that, every frame from host A is captured by host B as well as the sniffer as shown in figure 3. Figure 3 Port Mirroring When using port mirroring one needs to be careful because it can cause a lot of overhead on the switch and possibly crash your network. So it is a good idea to use this feature at strategic times and only for short periods if possible. 2 Implementation of port mirroring technique The port mirroring analysis technique is very important; it is a special method that allows an analyzer to be plugged into a switch port. In order to invoke port mirroring usually involves specialized commands. 8 These commands may vary from manufacturer to manufacturer. Certain parameters or commands may need to be invoked in the vendor switched management system also to allow port mirroring to take place. 3 Importance in Network management Network Operator uses port mirroring feature of bridge as a diagnostic tool or debugging feature.Port mirroring can be used for analysis and debugging as it enables close tracking of the switch performance.7 Some devices, such as the sensor on an IDS/IPS system, require the ability to monitor all network traffic. Since the VLANS separate the traffic for security reasons, monitoring all traffic sometimes require getting a copy of network packets from one switch port sent to another switch port, so in port mirroring whatever data is bring forwarded through a particular switch is copied strictly for the purpose of monitoring and logging them. It is becoming a more common practice as organizations continue to install more IDS/IPS systems. 9 It is referred to as Switch port analyzer (SPAN) on CISCO switches and as Roving Analysis Port (RAP) on 3com switches. 5 It is commonly used for bridge/switch that requires monitoring of network traffic on link that do not allow insertion of an analyzer (point to point UTP between switch and host) and do not have a hub. Output from port mirror analysis could decide the mode of forwarding for a switch, i.e. store and forward or cut-through. Thus port mirroring can play an important role in network monitoring and control, especially in fault management, checking network security and thus improvement of quality of service over consumer broadband links. more useful content, originally from Li ZENG for slide AU, shifted here by Tim Port Mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network appliances that require monitoring of network traffic, such as an intrusion-detection system. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN); some other vendors have other names for it, such as Roving Analysis Port (RAP) on 3Com switches. An example of a SPAN configuration on a Cisco 2950 Switch is below. Monitor session 1 source interface fastethernet 0/1 , 0/2 , 0/3 Monitor session 1 destination interface fastethernet 0/4 encap ingress vlan 1 The above example mirrors data from ports 0/1, 0/2 and 0/3 to the destination port 0/4 using vlan1 for vlan tagging. Port Mirroring is useful when want to analyse traffic on a link that doesn't allow insertion of an analyser (e.g. point-to-point UTP between host and switch) and don't have a hub. Technical Papers For Further Reading Hyper spector: Virtual Distributed monitoring environments for secure intrusion detection Self checking network protocol: a monitor based approach An online help framework for web application An architecture for automated network control of QOS over consumer broadband links See also Corresponding TELE9752 lecture slide References [1 Rapid IO: embedded system interconnect] [2 CompTIA Network + Deluxe Study Guide] [3 Network Performance Base lining] [4 JUNOS High Availability] [5 CompTIA Network + Review Guide] [6 Traffic trace artifacts due to monitoring via port mirroring] [7 How to find out what is happening on your network using SPAN or Port mirroring (Youtube Video)] http://www.youtube.com/watch?v=anmidey6zrw [8 Port mirroring Set up and Demo (Youtube Video)] [9] IDS and IPS placement for network protection Category:All